iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
A major cyber attack on the UK’s electoral regulator affecting 40 million voters has brought voter trust in the agency into question after it was revealed that the attack had been hidden for some time following its discovery.
The UK Electoral Commission announced that the attack was undetected for an entire year, starting as far back as August 2021, and that the public was not informed for another 10 months after it was discovered.
Attacks on the democratic process are widely considered to be as damaging as attacks can get, due to their potential to influence decisions that could change a nation and the world.
When the attack was first discovered in October, it was reported to the Information Commissioner’s Office (ICO) and the National Crime Agency within 72 hours, but only now has the public been informed that their data as registered voters could have been compromised.
The threat actors, according to a release issued by the Electoral Commission, said that the hackers gained access to reference copies of the electoral registers, which it said it was holding for research purposes “and to enable permissibility checks on political donations”.
These copies included those who had chosen to opt out of having their details kept available on the public register.
This data included the “name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters”.
“The registers did not include the details of those registered anonymously,” it said.
While the Electoral Commission can identify which files were accessible, it is unable to conclude which ones were specifically accessed by threat actors.
It has also said that the breach is not considered high risk, despite the personal data affected by the incident, which includes:
In addition, the Electoral Commission has said its email servers were also left vulnerable in the attack.
The commission has not released significant details on this, just saying that it is “also unlikely to present a high risk to individuals unless someone has sent us sensitive or personal information in the body of an email, as an attachment or via a form on our website, such information may include medical conditions, gender, sexuality, or personal financial details”.
“Information related to donations and/or loans to registered political parties and non-party campaigners is held in a system not affected by this incident,” it said.
Concerns have been raised as to why the commission withheld news of the breach for such a long period, to which commission chair John Pullinger said was to protect its systems from further threats.
“If you go public on a vulnerability before you have sealed it off, then you are risking more vulnerabilities,” Pullinger said.
Pullinger called the attack “very sophisticated”, adding that the threat actors had used software in an effort to evade system security.
The commission has said it has worked with security experts to secure its systems and investigate the breach and that individuals do not need to take any immediate action. Anyone registered to vote between 2014 and 2022 has been advised to remain vigilant and contact the commission’s data protection officer if there are any concerns over personal data security.
The implications of a cyber attack that could affect a nation’s democracy are dire. While the commission has said that this attack did not affect voting or democracy, the fact that the hackers were able to access systems from as early as August 2021 shows that they were not a small group looking for money, but a highly sophisticated operation.
The threat group, which is currently unknown, could be looking for weaknesses in the UK’s democratic process for future attacks.
The entire incident has further bolstered the argument of not moving to an e-voting system, and sticking to traditional paper ballots.
Be the first to hear the latest developments in the cyber industry.
